April 23, 2014

58% of vulnerabilities which exploit kits try to use are over 2 years old

solutionary-logo(LiveHacking.Com) – A new report from the security company Solutionary, has revealed that 58% of the vulnerabilities targeted by the top exploit kits are at least two years old. In total the company looked at 26 of the most common exploit kits and found exploit code from nine years ago. The fact that code from 2004 is still in the kits implies that old vulnerabilities are still fruitful for cyber criminals.

Further analysis showed that 58% of the vulnerabilities targeted are over two years. Solutionary also say that number of newly discovered and disclosed vulnerabilities has declined since 2010.

It seems as if Russia the center for exploit development with 70 percent of kits released or developed there. Following Russia comes China and Brazil. Of these kits BlackHole 2.0 continues to be the most often-used exploit kit while the lesser known Phoenix 3.1 exploit kits offers the highest number of vulnerabilities.

“The fact that cyber criminals are able to penetrate network defenses by targeting aging vulnerabilities and using old techniques demonstrates that many organizations are still playing catch-up when it comes to cyber security,” said Rob Kraus of Solutionary. “Exploit kits largely focus on targeting end-user applications. As a result, it is vital that organizations pay close attention to patch management and endpoint security controls in order to significantly decrease the likelihood of compromise.”

The popularity of BlackHole was also confirmed when Solutionary saw that 30% of the malware samples are indirectly linked to BlackHole exploit kit, while 18% of the malware samples directly attributed to BlackHole.

On the effectiveness of anti-virus solutions, the report found that anti-virus and anti-malware software cannot detect 67 percent of malware being distributed.

The rise of the Sweet Orange exploit kit

(LiveHacking.Com) –  Since the main purpose of malware is to create money it is only to be expected that as many parts as possible of the process are streamlined and automated. This is why many bits of malware use command and control (C & C) servers to automated the infection, spreading and ultimately the fraudulent aspects of the malware. Another aspect which is the highly streamlined is the creation of the virus or trojan that infects and delivers the payload to a victim’s computer. To this end malware authors have developed things called exploits kits which allow the criminals to create new viruses with the desired payload in a very short amount of time. The most popular exploit kit is known as Black Hole, it accounts for some 40 percent of all toolkits detected.

Version 2.0 of Black Hole was recently released and it claimed to be harder for anti-virus programs to detect it. But Black Hole isn’t the only exploit kit in town. One of the competing exploit kits is known as “Sweet Orange.” According to Chris Larsen of Blue Coat, malware analysts are finding more and more examples of Sweet Orange based malware.

Sweet Orange is similar to other exploit kits in that it has a database backend to store information about successful infections and statistic gathering about exploits for Java, PDF, IE and Firefox. However it does claim something quite unique, according to the sales copy Sweet Orange is able to drive 150,000 unique visitors to a site every day.

Since the whole process is automated it means that the ferocity of Sweet Orange is high. With an infection rate of up to 15% and 150,000 unique visitors a day to the predefined malicious webpage that means that 10,000 new PCs are infected every day. That is 300,000 in one month, a huge pool of victim’s exposed to banking trojans or false AV malware etc.

Such a high rate of infection needs a substantial infrastructure, the problem is that this infrastructure remains hidden and only parts of it can be seen, rather like an iceberg.

“Thanks to WebPulse, and the amount of traffic that comes through each day, Blue Coat can see a lot more of the iceberg,” said Jeff Doty of Blue Coat. “In my research, I found 45 different IP addresses (and a total of 267 different domains) that are dedicated to Sweet Orange.”

BlackHole exploit kit 2.0 released and its all about the money

(LiveHacking.Com) – A new version of the popular Black Hole exploit kit has been released. According to an entry on Pastebin, V2.0 has been rewritten from scratch to make it harder for anti-virus programs to detect it. Black Hole is one of the most popular exploit kits used onlne and accounts for just under 40 percent of all toolkits detected by AVG. The key element in the announcement is not so much the new features (which I will look at below) but the fact that the “advert” contains a list of the prices for server rentals and mentions that the prices have remained the same. Don’t ever loose sight of the fact that malware writing is all about the money.

So what are the prices, how much does it cost to be a cyber criminal nowadays? To rent a command and control server from the BlackHole creators cost just $50 per day with a limit of 50,000 hits. If you want to use your own server then you need to by a license (ironic, no!),  and that costs $700 for 3 months or $1500 for a year.

Among the new features is the use of a CAPTCHA on the administration panel login page to prevent security companies performing brute force attacks against the servers. Plus the kit adds new dynamically generated URLs, which are valid for a few seconds. These kind of “enchancements” aren’t to do with how BlackHole actual explots vulneravilitries on victim’s PCs, but rather they are designed purley to make life harder for security researchers and securty companies. In fact, the announcement says that the team have “developed and implemented a lot more features about which bragging and shouting in public is simply not reasonable, because competition and the AV companies do not nap.”

Exploit Kits Updated to Use Recent Java Vulnerability

(LiveHacking.Com) – One of the biggest threats to Internet users isn’t the actual individual vulnerabilities found in operating systems (like Windows or OS X), web browsers (like IE, Firefox and Chrome) or software (like Adobe Acrobat or Flash) but the exploit kits which combine the exploits for these known vulnerabilities into a kit which is then deployed by cyber criminals and malware writers to infect and control victim’s computers.

Although attacks can be launched (and have been launched) using  individual vulnerabilities, the greatest damage is done with these exploit kits and the cyber criminals know it. And it seems that the speed of development of these kits is increasing. Until recently exploit kits tended to use exploits which have been known for at least a year and their development seemed to be slow. However according to research by M86 Security two “popular” exploit kits have been updated to exploit a vulnerability in Java which was discovered less than two months ago.

CVE-2011-3544, which was discovered by Michael ‘mihi’ Schierl, allows arbitrary Java code to run outside of the sandbox due to a vulnerability in the Rhino Script Engine. Not long after the discovery, an exploit module was published in Metasploit. And now the Blackhole exploit kit was modified to exploit clients that have Java installed, using the CVE-2011-3544 vulnerability. A few days later, a new version of Phoenix exploit kit 3.0 was released,  only a few weeks after the release of its predecessor, Phoenix 2.9.

“The vulnerability is cross-platform and doesn’t require heap spray or buffer overflow techniques. That makes it very effective and therefore authors of exploit kits rushed to add it to their kits. The concerning aspect is that the Blackhole exploit kit was updated even before a patch was released by the vendor” wrote Daniel Chechik.

What this shows is that cybercriminals aren’t actively relying on zero day flaws but rather they are using known (and patched) vulnerabilities.

MySQL.com Hacked To Serve Up Malware

(LiveHacking.Com) – MySQL.com was hacked yesterday to redirect users to a site that downloaded and executed malicious code on the visitor’s Windows computer without any user interaction. The site has since been cleaned up and is now working normally.

According to Armorize, who first reported the problem, the hack used a combination of JavaScript and iframes to send the user to truruhfhqnviaosdpruejeslsuy.cx.cc, a domain specifically created to spread the malware. From there the hacker used the BlackHole Toolkit to infect the visitor’s Windows PC with malware without the visitor’s knowledge. The visitor doesn’t need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform resulted in an infection.

The BlackHole Toolkit attempts to exploit a large number of weaknesses on the visitor’s computer including the browser and the browser plugins like Adobe Flash, Adobe PDF,  Java etc. Any visitors with an out-of-date browser or any unknown (zero-day) exploits will allow the toolkit to infect the PC.

It is estimated that MySQL.com receives almost 12 million visitors a month (nearly 400,000 a day), meaning that there was large number of  potential victims whilst the site was infected.

MySQL.com was also attacked in March, when hackers “TinKode” and “NeOh” took credit for exploiting a SQL injection flaw. As a result they posted a list of usernames and passwords online.